The Temporal UI uses some 'readOnlyGlobalAPI's (like list namespaces) in order to function. In order to use the UI and the defaultAuthorizer and defaultJWTClaimMapper, before v1.21.0 I required any user to have a `system:read` role to access the global APIs and a `<namespace>:<role>` role to perform the work they needed in their namespace.

This was a bit of a pain as it meant anyone with UI access could always have read access to all non-system namespaces, but we lived with it.

Now in v1.21.0 the `system:read` requirement for readOnlyGlobalAPI has been changed to `temporal-system:read`, which means anyone who needs to use the UI will now be able to access the `temporal-system` namespace.

Is it possible to introduce a new role specifically for 'readOnlyGlobalAPI' access? Something like `temporal-global-api:read`? This would allow our UI users to use the Temporal UI and only access their own namespace and the global APIs.
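The following Go program is an added example, not code from the post or from Temporal's own authorizer. It models the three permission schemes the post describes (`system:read` as a floor for every namespace before v1.21.0, `temporal-system:read` in v1.21.0 where that scope is also a real namespace, and the proposed dedicated `temporal-global-api:read` scope) so the over-grant in each can be checked mechanically. The role ordering, the `Policy` struct and the namespace names in `main` are all assumptions made for this example; only the `<scope>:<role>` permission convention comes from the post.

```go
package main

import (
	"fmt"
	"strings"
)

// Role levels; a higher value implies the lower ones. The ordering is an
// assumption of this example, not taken from Temporal's source.
type Role int

const (
	RoleUndefined Role = iota
	RoleRead
	RoleWrite
	RoleWorker
	RoleAdmin
)

var roleNames = map[string]Role{"read": RoleRead, "write": RoleWrite, "worker": RoleWorker, "admin": RoleAdmin}

// Claims holds the highest role granted per scope. A scope is either a
// namespace name or the special scope that gates the read-only global APIs.
type Claims struct {
	Scopes map[string]Role
}

// ParsePermissions turns "<scope>:<role>" entries (the convention in the post)
// into Claims. Malformed or unknown entries are rejected rather than silently
// dropped, so a typo cannot widen access by falling back to a default.
func ParsePermissions(perms []string) (Claims, error) {
	c := Claims{Scopes: map[string]Role{}}
	for _, p := range perms {
		parts := strings.SplitN(p, ":", 2)
		if len(parts) != 2 || parts[0] == "" {
			return Claims{}, fmt.Errorf("malformed permission %q", p)
		}
		role, known := roleNames[strings.ToLower(parts[1])]
		if !known {
			return Claims{}, fmt.Errorf("unknown role in %q", p)
		}
		if role > c.Scopes[parts[0]] {
			c.Scopes[parts[0]] = role
		}
	}
	return c, nil
}

// Policy names the scope that unlocks the read-only global APIs and records
// how that scope's role bleeds into namespace access.
type Policy struct {
	GlobalScope      string
	ScopeIsNamespace bool // the scope name is also a namespace users can open
	ScopeIsFloor     bool // the role on the scope is a minimum for every namespace
}

var (
	// Pre-v1.21.0: system:read is a floor, so UI users can read every namespace.
	PreV121 = Policy{GlobalScope: "system", ScopeIsFloor: true}
	// v1.21.0: temporal-system is a real namespace, so UI users can read it.
	V121 = Policy{GlobalScope: "temporal-system", ScopeIsNamespace: true}
	// Proposed (hypothetical): a dedicated scope that is neither a namespace nor a floor.
	Proposed = Policy{GlobalScope: "temporal-global-api"}
)

// CanCallReadOnlyGlobalAPI is the check the UI's list-namespaces style calls need.
func (p Policy) CanCallReadOnlyGlobalAPI(c Claims) bool {
	return c.Scopes[p.GlobalScope] >= RoleRead
}

// CanAccessNamespace decides a namespace-scoped call that needs role `need`.
func (p Policy) CanAccessNamespace(c Claims, ns string, need Role) bool {
	if ns == p.GlobalScope && !p.ScopeIsNamespace {
		return false // the global scope is not a namespace under this policy
	}
	if c.Scopes[ns] >= need {
		return true
	}
	return p.ScopeIsFloor && c.Scopes[p.GlobalScope] >= need
}

func main() {
	// Constructed sample: a UI user who should only touch the "payments" namespace.
	for _, tc := range []struct {
		p     Policy
		perms []string
	}{
		{PreV121, []string{"system:read", "payments:write"}},
		{V121, []string{"temporal-system:read", "payments:write"}},
		{Proposed, []string{"temporal-global-api:read", "payments:write"}},
	} {
		c, err := ParsePermissions(tc.perms)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s globalAPI=%v orders:read=%v temporal-system:read=%v payments:write=%v\n",
			tc.p.GlobalScope, tc.p.CanCallReadOnlyGlobalAPI(c),
			tc.p.CanAccessNamespace(c, "orders", RoleRead),
			tc.p.CanAccessNamespace(c, "temporal-system", RoleRead),
			tc.p.CanAccessNamespace(c, "payments", RoleWrite))
	}
}
```

Run as-is and the three rows show the trade-off from the post: the pre-v1.21.0 scheme leaks reads into every namespace, the v1.21.0 scheme leaks reads into `temporal-system`, and a dedicated global-API scope leaks neither while still passing the global-API check.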